
Introduction
SA 402 applies when an entity uses a service organisation to perform functions that are relevant to financial reporting. These services may include payroll processing, cloud accounting, IT infrastructure, data management, or transaction processing.
This Standard explains how the auditor applies SA 315 (Identifying and Assessing the Risks of Material Misstatement) and SA 330 (Responses to Assessed Risks) in situations where activities are outsourced.
When an entity depends on a third party for critical processes, the auditor must evaluate how those services affect internal control and financial statements.
Objectives of the Auditor
The auditor must achieve the following objectives:
1. Obtain an Understanding of the Services
First, the auditor obtains a clear understanding of:
- The nature of services provided by the service organisation
- The significance of those services to the user entity
- The impact of those services on internal control relevant to the audit
The auditor uses this understanding to identify and assess the risks of material misstatement.
2. Design and Perform Responsive Procedures
After assessing the risks, the auditor designs and performs audit procedures that directly address those risks.
Accordingly, the audit approach must reflect the level of reliance placed on the service organisation.
Understanding Internal Controls at the Service Organisation
The auditor evaluates:
- Controls established at the service organisation
- The interaction between service organisation controls and user entity controls
- Complementary user entity controls that management must implement
In many engagements, the auditor may obtain evidence through:
- Type 1 or Type 2 service auditor’s reports (such as SOC 1 reports)
- Direct communication with the service organisation
- Additional substantive or control testing
However, even if the auditor considers the service auditor’s work, the user auditor retains full responsibility for the audit opinion.
Risk Assessment and Professional Judgment
The auditor applies professional skepticism while assessing:
- IT general controls
- Automated processing systems
- Data security and cybersecurity risks
- Outsourced financial reporting processes
If the service organisation processes significant transactions, the auditor increases the depth of testing and documentation.
Therefore, proper evaluation of third-party risk forms a critical part of audit planning.
Inability to Obtain Sufficient Appropriate Audit Evidence
If the auditor cannot obtain sufficient appropriate audit evidence regarding the services provided by the service organisation, the auditor must modify the opinion in accordance with SA 705 (Modifications to the Opinion in the Independent Auditor’s Report).
Depending on materiality and pervasiveness, the auditor may issue:
- A qualified opinion, or
- A disclaimer of opinion
Thus, access limitations or inadequate evidence can directly affect the audit report.
Reference to the Work of a Service Auditor
When Expressing an Unmodified Opinion
The auditor shall not refer to the work of a service auditor in the audit report when expressing an unmodified opinion unless law or regulation requires such reference.
If law or regulation requires reference, the auditor must clearly state that such reference does not reduce the auditor’s responsibility for the opinion.
When Explaining a Modified Opinion
If the auditor refers to the service auditor’s work to explain a modification, the report must clearly indicate that the reference does not diminish the auditor’s responsibility.
Professional accountability always remains with the user auditor.
Documentation Requirements
The auditor must document:
- The understanding of the service organisation and its environment
- Identified risks of material misstatement
- The basis for reliance on service auditor reports, if any
- The nature, timing, and extent of audit procedures performed
Clear documentation supports audit quality and compliance with professional standards.
Conclusion
SA 402 ensures that outsourcing does not weaken audit assurance. The auditor must understand the services performed by the service organisation, evaluate related controls, assess risks, and design appropriate audit procedures.
Even when a third party performs significant functions, the user auditor remains fully responsible for expressing an independent and professional audit opinion.
